GENERAL AUDIT APPROACH IN INFORMATION SYSTEMS

1
GENERAL AUDIT APPROACH IN INFORMATION SYSTEMS
2
OBJECTIVES

• Understand how controls are evaluated
• Describe various steps and tasks to be followed
  to effectively perform an information systems
  audit
• Identify methods, tools and techniques an auditor
  uses in accomplishing the audit objectives

3
AUDIT OF CONTROLS

• Audit is an evaluation of adequacy controls
• Security policy and standards
• Verify whether security policy exists
• If exists, study for its adequacy, currency and
  procedures for updating
• If not exists, mention in the audit report with
  suggested contents
• A corporate security policy is important to
  ensure security awareness through the
  organization and enforcement of security
  standards

4
AUDIT OF CONTROLS

• Steering Committee
• One member at Board level, Manager of IS, manager
  of User departments
• Changes to existing systems and procedures
  approved by SC
• If a committee does not exist, the auditor should
  include in report and recommend formation of
  committee, specify duties and responsibilities
  and highlight the benefits
• Business Continuity Planning
• Verify whether organization has well-documented
  and updated BCP
• Verify its effectiveness and seek evidence of
  frequency testing of plan, adequacy, currency and
  suggest improvements

5
AUDIT OF CONTROLS

• Systems Development Methodology
• Requires strict documentation and procedures
• Lack of documentation, ad hoc changes to
  programs, different versions of same program
  running in different branches and program
  development are inadvisable procedure
• Auditor should make a mention of lack of
  procedure, highlight impact of such lapses and
  suggest remedial measures
• Operational Controls
• Verify procedures for physical access to
  computerized environment
• Observe the entry system to verify effectiveness
  of restrictive measures

6
AUDIT OF CONTROLS

• Environmental Control
• The working condition of equipments and
  maintenance schedule needs to be checked
• E.g. temperature control equipment,
  air-conditioning, smoke detectors.
• Auditor should make comments on this aspect
• Electric supply
• Existence and efficacy of voltage stabilizers
  need to be examined
• Organizational Control
• Auditor should ask names of employees in IT
  department, their responsibilities and duties
• Where irregularities are found, auditor should
  highlight and suggest corrective actions

7
GENERAL APPROACH TO PERFORM AN AUDIT

• Purviewing the environment
• Understand IS
• Identifying audit risks
• Identifying audit evidence
• Identifying key control points
• Identifying control weaknesses
• Verifying veracity of computer files
• Conducting audit tests
• Concluding the audit

8
PURVIEWING THE ENVIRONMENT

• Auditor should purview environment for the
  following reasons
• Understand environment in which application is
  being run
• Meet data processing and auditee department to
  prepare list of personnel
• Assess if computer center has the capacity and
  capability to run audit software
• Improve auditors IT knowledge base learning
  experience
• Understand scope of audit and decide areas to
  concentrate on

9
PURVIEWING THE ENVIRONMENT

• Tasks to perform while purviewing the
  environment
• Understand audit objectives
• Define the scope
• Conduct initial interview
• Obtain background information
• Understand audit objectives to get clear
  perspectives on the objectives
• Has the areas been audited?
• When was it last audited and what were the
  result?
• Reason as to why the area has been chosen for
  auditing?
• Any apprehension about problem existing in the
  area or do problem already exist?

10
PURVIEWING THE ENVIRONMENT

• Define the scope four Ts which constrain the
  scope of an IT audit
• Time auditor need to spend time with personnel
  and computer
• Talent specialized skills required for an IS
  audit
• Tools specific audit software tools and
  availability of audit staff to utilize them
• Travel collection of adequate evidence with
  distributed data processing

11
PURVIEWING THE ENVIRONMENT

• Conduct initial interview audit team should
  meet the personnel of the auditee department and
  project team of the IT department
• Senior official should also actively associated
  to ensure that IT and auditee department
  cooperate with audit team

12
PURVIEWING THE ENVIRONMENT

• Obtain background information essential
  information to acquire proper perspective on
  audit objectives through
• Previous work papers
• Interviews obtain information about
  organization (organizational chart, write up
  about IS to be audited, internal/external audit
  report)
• obtain information from IT department
  (organizational chart, policies, procedures,
  standards, detailed list of all hardware and
  operating system)

13
UNDERSTANDING INFORMATION SYSTEMS

• It is important to
• Understand the terminology and technical jargon
• Familiarize himself with the necessary computer
  concepts
• Gather all possible documentation and understand
  the same
• Auditor should not get lost in technical details
  density of floppy, speed of the processor etc.
• Concentrate on IS objectives, understand flow of
  data, and identify audit evidence

14
UNDERSTANDING INFORMATION SYSTEMS

• Steps involve to understand the information
  systems are
• Discussion with staff regarding IS and collection
  of relevant documents
• Develop an application flow chart
• Verify application flow chart with concerned
  project team in IT department

15
UNDERSTANDING INFORMATION SYSTEMS

• Discussion with the staff auditee department
  and project team in IT department to be met to
  collect necessary documents
• Documentation from auditee dep. explain
  non-technical terms what the IS is expected to
  achieve
• Documentation from IT dep. provide details as
  to how exactly system functions
• An auditor should
• Perform input transaction walk through (list
  different types of transactions)
• Perform systems walk through (understanding of
  computer systems with its different programs)

16
UNDERSTANDING INFORMATION SYSTEMS

• Peruse the documentation (details of functioning
  of the system, IS objectives and other necessary
  details for the auditor to understand system)
• Preparation of an application flow chart makes
  use of symbols and provides an easy-to-follow
  pictorial representation of processing flow
• Auditors should prepare the flow charts
  themselves
• Verification of application flow chart verify
  accuracy and completeness of flow chart prepared
  by the auditor to the IT project team
• Ensure that auditor has correctly understood
  details of IS

17
IDENTIFYING AUDIT RISKS

• Auditor should evaluate all risks physical
  threats(fire, flood, earthquake, storm,etc) and
  others(human errors, omissions, etc)
• Steps involve
• Identify risks - Auditor should be familiar with
  application as also IT environment in which
  applications have been developed
• Determine magnitude of risks and prioritize them
  evaluate risks and prioritize them to their
  magnitude
• Study the controls for their adequacy

18
IDENTIFYING AUDIT RISKS

• Commonly associated risks in an IT environment
• Unreasonable processing wrong value entered in
  computer system
• Repetition of errors single error in data is
  sufficient to produce large volume of error
• Cascading of error initial error gives rise to
  another error and so on
• Incorrect entry of data data which is properly
  authorized could be entered incorrectly e.g.
  on-line system
• Concentration of responsibilities in one area
  distributed responsibility for implementing
  control among many persons, would highlight any
  failure

19
IDENTIFYING AUDIT EVIDENCE

• Evidence is needed to support input, processing
  and output
• Clear understanding of the evidence and its
  identification forms the foundation for
  conducting an effective audit
• Different types of electronic evidence
• Computer transactions
• Source code of program
• Processing logs
• System documentation
• Program documentation
• User documentation
• Error messages

20
IDENTIFYING AUDIT EVIDENCE

• Steps involve to identify evidence
• Prepare an exhaustive list of all evidence
  produced by system prepare data flow diagram
  that records evidence internal to IS
• Evidence external to system can be obtained from
  users/system analyst/programmers/security officer
  
• Documenting audit evidence auditor should know
  the following
• Medium data contained in hard disc, floppy or
  tape
• Format data is stored in different
  ways(serially, consequentially, etc)
• DBMS data in independent of applications
• Backup period period of preservation of data
• Frequency of creation familiar with frequency
  of creation of file
• Composition of data on the file gather
  information regarding records, formats and layouts

21
IDENTIFYING KEY CONTROL POINTS

• Auditor need to concentrate on risks of higher
  magnitude and the key controls
• Key control points are points in system where
  risk is the greatest and controls most important
• Methodology to assess the weaknesses in control
  points
• Check List or Questionnaire
• Matrix
• Control flow chart

22
IDENTIFYING KEY CONTROL POINTS

• Questionnaire should be tailored to the
  customers need
• Check list provide an exhaustive list of items
• Disadvantage
• Difficult to understand unless auditor is
  computer literate
• Compensating controls ignored
• Matrix is prepared with list of probable
  weaknesses on one side of the matrix and controls
  to strengthen the weaknesses on the other

23
IDENTIFYING KEY CONTROL POINTS

• Data flow diagram is a graphic presentation of
  the transaction flow is prepared
• Locating risk on DFD anticipate type of risk
  and envisage control that need to be built in
• Document the key control on DFD flow charts
  should be prepared and documented

24
IDENTIFYING CONTROL WEAKNESSES

• Auditor need to assess areas where probability of
  error is high
• Steps are taken to concentrate on this area to
  strengthen probable weakness
• Control weaknesses are determined by an auditor
  utilizing his power of judgement
• Common adopted methodology of identification of
  control weakness are
• Control flow chart
• Conflict matrix
• Transactions/control matrix

25
IDENTIFYING CONTROL WEAKNESSES

• Control flow charting is a good technique for
  identifying risks and key controls
• Conflict matrix is a method of identifying a
  conflict of interests. Includes the following
• Identifying people
• Identifying conflict actions
• Completing the matrix

26
IDENTIFYING CONTROL WEAKNESSES

• Transaction/control matrix is concerned with
  those transaction which make an economic
  commitment to the organization
• Result in inflow or outflow of cash
• Process of control assessment consists of
• Identifying risks study of DFD should identify
  risks
• Assessing magnitude of risk estimate risks in
  terms of absolute figures
• Assessing strength of controls identify control
  and estimate their effectiveness
• Document identified control weaknesses by
  assessing control weaknesses, evaluating
  magnitude of risk, assessing cost of control and
  performing audit tests

27
VERIFYING VERACITY OF COMPUTER FILES

• Information on files for conducting audit must be
  complete and accurate
• Tasks to be performed by the auditor to verify
  veracity of files are
• Decide on the files to be examined files
  selected are those which are needed to test
  weaknesses areas identified
• Save computer files required files are
  available on time for audit by making copy of
  appropriate master file
• Verify integrity of computer files and data by
  comparing totals of specific fields of records
  with predetermined totals
• Ensure that files contain all data he wants

28
CONDUCTING AUDIT TESTS

• Test some transactions on computer file using
  different tools and techniques to perform
• Computations add, subtract, multiply, divide
• Compare two fields
• Sort data in a required manner
• Summarize and total data
• Select data from a file based on a predetermined
  basis
• Before performing a test, auditor should
  complete
• Clearly deciding what is expected form audit test
• Once the decision is taken on what to test,
  determine how to accomplish it

29
CONDUCTING AUDIT TESTS

• Steps followed to perform an audit test
• Design a test decide about computer file and
  other electronic evidence, statement of test
  objective, identification of information other
  than computer file
• Select the tool audit tool may be special
  purpose or general purpose
• Test the tool test audit software program and
  familiarize with usage of the tool
• Execute and use test result live production
  data should be used in the place of test data

30
CONCLUDING THE AUDIT

• Conclude the original objectives, determine the
  audit findings and present recommendations
• Highlight weaknesses detected during audit,
  causes, magnitude of impact of weaknesses and
  corrective actions
• Tasks involve in concluding audit
• Develop findings examines condition and notes
  down significant variation
• Should be factual and discovered by auditor
• Based on standards or guidelines against
  conditions evaluated
• Effect, impact and significance of the variance

31
CONCLUDING THE AUDIT

• Develop audit recommendation carefully if it is
  useful and feasible
• Thoroughly understand existing system
• Clearly state audit findings
• Consider different alternatives considering cost
  benefits for each solutions
• Write audit report
• Executive summary highlighting salient features
• Explicit recommendation highlighting impact of
  weaknesses and action to be taken
• Technical jargons avoided